summary.tex
\section{Summary}
Security experts and hackers have spent a lot of time investigating how average people create their passwords. They are one step ahead of those who have only little knowledge of information theory and statistics. Passwords that seem strong and random to a user can often be cracked easily with today's computer hardware.
Entropy is a good indicator of the strength of a password, provided that the password was randomly generated. Humans, however, are not very good at making truly random decisions. Their passwords are often influenced by the world around them, and this is where the entropy estimate becomes inaccurate. Tools like zxcvbn fill this gap by making realistic security assumptions about personalised passwords.
From the perspective of a user, one should use random password generators from trustworthy sources and have a different password for each use case. In combination with a password manager that keeps track of accounts, one can stay reasonably safe without complicating one's life. For passwords that the user makes up on their own, it is best to validate the password strength with a tool like zxcvbn. Many other password validators do not understand the difference between the entropy and the realistic strength of a personalised password.
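As an added illustration of the gap between entropy and realistic strength described above (example code, not part of the original report and not zxcvbn itself), the toy estimator below compares a naive character-class entropy with a rough pattern-aware guess count built on a constructed five-word dictionary:

```python
import math
import re

# Constructed rank-ordered word list; a real estimator such as zxcvbn ships
# dictionaries of tens of thousands of entries, this one only illustrates the idea.
COMMON_WORDS = {"password": 1, "summer": 2, "dragon": 3, "monkey": 4, "letmein": 5}

# Common l33t substitutions, mapped back to the letter they replace.
LEET = {"4": "a", "@": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t"}


def naive_entropy_bits(pw: str) -> float:
    """Classic estimate: length * log2(size of the character classes used)."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33
    return len(pw) * math.log2(size) if size else 0.0


def pattern_guesses(pw: str) -> int:
    """Rough pattern-aware guess count in the spirit of zxcvbn: a dictionary word
    plus its case, l33t and digit/symbol-suffix variations. Anything that does not
    match a dictionary word falls back to the brute-force (naive entropy) count."""
    core, digits, symbols = re.match(r"^(.*?)([0-9]*)([^A-Za-z0-9]*)$", pw).groups()
    word = "".join(LEET.get(c, c) for c in core).lower()
    if word not in COMMON_WORDS:
        return math.ceil(2 ** naive_entropy_bits(pw))
    upper = sum(c.isupper() for c in core)
    # Capitalising only the first letter is one common variant; otherwise every letter is a choice.
    case_mult = 2 if upper == 1 and core[0].isupper() else 2 ** upper
    leet_mult = 2 ** sum(c in LEET for c in core)
    suffix = 10 ** len(digits) * 33 ** len(symbols)
    return COMMON_WORDS[word] * case_mult * leet_mult * suffix


def pattern_bits(pw: str) -> float:
    """Realistic strength expressed on the same log2 scale as the naive entropy."""
    return math.log2(pattern_guesses(pw))


if __name__ == "__main__":
    for pw in ["Password123!", "P@ssw0rd", "x7Q#pL2v"]:
        print(f"{pw:14} naive {naive_entropy_bits(pw):5.1f} bits  pattern {pattern_bits(pw):5.1f} bits")
```

Both dictionary-based passwords score above 50 bits on the naive scale yet only a handful of bits once the word, its capitalisation and the appended digits are treated as a pattern, while the random string scores the same on both.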
From the perspective of a security officer, new problems can arise when people are forced to use a specific set of character types. Instead of judging a password by its character complexity, it is much more useful to rate the strength of the password as a whole. Other password-related measures can be taken outside the actual choice of the passwords: key stretching and salting protect against the use of precomputed hash tables and reduce the achievable guessing rate.
From the perspective of a hacker, one should differentiate between attacking a large set of passwords and attacking a single user. Even large password lists can be processed rather quickly with the computers available today. Afterwards the attack can be expanded to pure brute-force and dictionary attacks until the effort stops being feasible. These attacks can be made more efficient by using common topologies and patterns. Attacking a single user puts far more work into the gathering of information than into the execution of the attack itself.
In the end, cracking a password needs to cost more than the information it protects is worth, so that even the most skilled hacker has no feasible reason to continue the attack.
\newpage